Staff

@Lestrad Hello! The “Set network location” message in Windows is thrown by Windows' Network Location Awareness at each network change to help the system decide whether to treat the new network (including virtual private networks of course) as public or private. WireGuard creates a new virtual interface at the beginning of each session and destroys it at the end of the session. This is probably the main reason triggering the prompt, but the fact that you are accumulating interfaces on interfaces makes us think that you're running a bugged system such as Windows 7 or some antimalware tool which prevents WireGuard from removing the interface at the end of the session. A bug in Windows 7 caused this prompt to be re-displayed multiple times for known networks, even when there was no network change, and even when the user ticked the “Always select Public and don’t ask me again” checkbox (we assume you have already done so - if not, please do it and see whether the problem gets resolved). In case you run Windows 7: as a first action, delete all the virtual interfaces while Eddie is not running. Make sure you don't run interfering antimalware tools. Test again. If the problem persists and you have already tried to force the VPN as always public to no effect, possible workarounds/patches are described in Windows forums. Before anything else please try to change the network location of the virtual network adapter (note: you must have administrator privileges). If you need remote port forwarding please make sure to set it to "Public" network. If the above does not solve the problem, please check this article too, as it could be related: https://support.microsoft.com/en-us/topic/a-set-network-location-dialog-box-appears-when-you-first-log-on-to-a-domain-joined-windows-7-based-client-computer-bac51a2c-b657-3f5f-75bc-e81fd8268c91 However, please consider to upgrade your system as Windows 7 has been abandoned a long ago and it is considered insecure and unreliable. If you don't run Windows 7, and you also don't run possible interfering tools, and the problem persists, please contact Microsoft support, because this bug should have been fixed ever since Windows 8 was released. Kind regards

Hello! p2p is allowed on pool 2 but it can be really used only by those programs that let you configure which IP address to announce (non existing, as far as we know). More in general, pool 2 is not suitable for any program which announces itself autonomously. In AirVPN infrastructure, the VPN traffic reaches the Internet through one exit IP address, but "pool 2" is the set of ports of another IP address (let's name it exit IP address 2, in brief exit 2). If a program receives an unsolicited incoming packet from the Internet through exit 2, it will reply properly. This happens whenever you advertise on your own how to reach your service (a web or FTP server, a game server, and so on). However, with p2p programs, it's the program itself which must advertise. DHT or a tracker will record the address they receive the advertisement (of the port etc.) from, and they will say to other peers that your p2p program is reachable on exit 1, with its pool 1 ports; however, if you have remotely forwarded a pool 2 port, peers would never be able to reach your program, because they would send packets to a port of another IP address (exit 1, the address recorded by DHT and/or trackers). The problem could be resolved by manual setting (see for example https://userpages.umbc.edu/~hamilton/btclientconfig.html#BTConfig ) when you need to seed only - additional tests are required. This is an important limitation that might be overcome in the future, for example by letting the user pick which exit IP address its traffic must go to the Internet through. In the meantime, by using pool 2 (and when necessary additional pools) for anything different from p2p and crypto wallets, port exhaustion problem is solved (in most cases only 1 forwarded port is needed for p2p). Kind regards

Hello! Yes, it is fine. Your domain name will resolve into the proper exit IP address of VPN server the corresponding device is connected to, therefore all the ports on the same pool linked to the same device will be reachable through the same IP address (hence the same domain name). Kind regards

Hello! We're not sure we understand the question. If you mean how to connect a machine through a specific certificate/key (i.e. a "device" in the user panel), then it's simple: on Eddie GUI's main window, just under the login credential fields, you have a combo box which will let you pick any certificate/key (if the box does not appear, log the account out and in again) on Eddie CLI, you can set it with the option --key=key_name on Bluetit, you may either specify the key on the bluetit.rc run control file (option airkey key_name) or on the Goldcrest configuration file or line option through the option air-key key_name Kind regards

Hello! We checked thoroughly and all of your tickets have been answered in an average time of 8 hours. All of them. EDIT: we want to add to make it clear to the readers and to be fair to the support team that your last ticket was replied to in 1 hour and 15 minutes. Kind regards

Hello! Currently not, Hummingbird searches in "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/homebrew/bin:/opt/homebrew/sbin". Reading the $PATH variable and add it to the search paths is an option we will consider for sure. Should WireGuard library become available for macOS too we will of course use it. As a momentary patch you can consider a symlink for wg and wireguard-go - both are used by Hummingbird. No, we don't, sorry. Hummingbird makes the OpenVPN3-AirVPN library available to macOS users in a single comfortable binary, to boost performance remarkably over OpenVPN 2 or the OpenVPN3 mainline library, but for WireGuard it is just a wrapper of the tools as we don't have the library in this environment. Since in macOS WireGuard does not run in the kernel space (no kernel module) this core feature for performance is lost and running wg tools or Hummingbird is most probably equivalent. We can't even design a kernel extension (not even if we had the time to plan it) because kexts are no longer allowed. However, with Hummingbird you have a built-in Network Lock (through pf) which wg tools don't offer and that may come very handy to prevent any possible traffic leak outside the VPN tunnel. Kind regards

@Blatantly0156 Hello! It sounds like you are experiencing this bug: https://github.com/qdm12/gluetun/issues/1407 Note this: "It might be because there is a listener going through the tunnel, but gluetun destroys that tunnel on an internal vpn restart and re-creates it. I had the same issue with the http client fetching version info/public ip info from within gluetun, and the fix was to close 'idle connections' for the http client when the tunnel is up again". Therefore, unless something changed in Gluetun, an effective solution is restarting qBittorrent (the 1st workaround explained in the bug thread). Also, try to increase the HEALTH_VPN_DURATION_INITIAL config option as various users reported that this change solved the problem. If all of the above fails, try to bind qBittorrent to the actual tun interface and make sure you're running the latest qBittorrent version. Anyway, not an AirVPN side problem, as you may be already aware of. Kind regards

Hello! It's not an expected behavior... Does the same happen with Eddie 2.24.2 beta version? Kind regards

Hello! Please remember that if the VPN connection takes place from a device that is not compromised, the upstream compromised devices will be unable to understand the traffic content, including the real destinations and sources. Your ISP does not even need to compromise the ISP router, it can just watch your traffic on their upstream equipment (data retention, DPI....). One of the core features of the service is exactly preserving data confidentiality and integrity when such data pass through insecure lines and devices. Therefore, if the connection is established by the Asus router, it is vital that the router and all the downstream devices connected to it, and their line(s), are not compromised, while it does not matter whether the upstream devices and lines of your ISP are compromised, as that will not affect data confidentiality and integrity up to the VPN servers. Always use end-to-end encryption in addition, in order to prevent our own servers from seeing the payload of your traffic and protect content integrity and confidentiality between the VPN server and the final recipient/source of the packets. Kind regards

Hello! UFW is an iptables wrapper which adds its own chains. To complicate the matter even more, UFW does not work with nftables, but probably your system is based on nftables (unless it is a very old distribution). Therefore translations iptables<->nftables are continuously needed and we have seen that some bug affects them. You should consider to drop UFW and use directly the nft userspace tool to set rules, or iptables-nft if you prefer the iptables syntax. In this last case, force Eddie to use iptables too (if Eddie finds nft in your system, it will use it) in the "Preferences" > "Network Lock" window. Kind regards

Hello! Please set permanent firewall rules that block every packet out (set the OUTPUT policy to DROP). Remember (important) to add ACCEPT rules for the following destinations: 255.255.255.255 (DHCPv4), ff02::1:2 (DHCPv6), 127.0.0.1 (localhost) and to your local network. When Network Lock is engaged, this total block will be lifted and only AirVPN servers will be reachable. When Network Lock is disengaged the previous block all rules will be restored. Kind regards

Hello! The paramount IPv6 privacy problem, which was considered by many as a critical or fatal flaw compromising adoption and usage, has been resolved through privacy extensions: https://www.internetsociety.org/resources/deploy360/2014/privacy-extensions-for-ipv6-slaac/ Nowadays, ten years after that article by The Internet Society and 17 (seventeen) years after RFC 4941 virtually all widespread systems have finally adopted the very much needed privacy extensions. However, one bad apple may compromise the whole local network. See for example this paper: https://arxiv.org/abs/2203.08946 where the authors show how a single device at home that encodes its MAC address into the IPv6 address can be utilized as a tracking identifier for the entire end-user prefix. Therefore, it is good practice to verify with care every and each device and making sure that their Operating Systems implement the privacy extensions. Other than that, we can't see any serious hindrance to adopt IPv6 as far as it pertains to privacy. Furthermore, in AirVPN we picked an unorthodox approach, i.e. we implemented NAT66 with ULA, as it is one of those rare cases where it comes handy to strengthen the anonymity layer (a thoughtful analysis of the pros and cons of NAT in IPv6 can be found in the following article for example https://blogs.infoblox.com/ipv6-coe/you-thought-there-was-no-nat-for-ipv6-but-nat-still-exists/ while a pragmatic approach is here: https://blog.ipspace.net/2013/09/to-ula-or-not-to-ula-thats-question/). Switching from privacy to security, probably an informed choice can start by reading this article, that also includes other precious sources, again by the Internet Society: https://www.internetsociety.org/deploy360/ipv6/security/faq/ Kind regards

Hello! No, it is not mandatory. Please make sure not to tick "Remember me" in the sign in box. A logout due to inactivity will then be enforced. We will re-check with the web site maintainers if it's the case to lower the timeout. We have never operated a server in Hungary throughout AirVPN history. You must be confusing AirVPN with some other service. Please note that the area is well covered as we have servers in Serbia, Romania, Austria and Czech Republic. Kind regards

Ah sorry, I've only been really working on wireguard config with the wireguard client, is the alternate one(s) available via DNS? because the airdns.org domains only ever resolve to the same number of addresses as there are servers for the region/country Hello! WireGuard is available on entry IP addresses 1 and 3. Specific areas (country, continent, planet) domain names are available for every entry IP address. Please see here: https://airvpn.org/faq/servers_ip/ Kind regards

@vpn.home3 Hello! A common cause of this error is trying to import a configuration file aimed at an OpenVPN version different from the one your system runs. For example OpenVPN 2.4 does not support various OpenVPN 2.5 new directives. Please check the OpenVPN version your Asus router runs and generate the file accordingly. On the Configuration Generator please turn on the "Advanced" switch in order to see the "OpenVPN profile" combo box that lets you choose the version (2.4, 2.5, 2.6, 2.6 no-dco, 3). You can manage your keys anytime from your AirVPN account control panel (enter it by clicking "Client Area" from the upper menu of the web site). You can delete or renew a certificate/key, or you can create new, multiple certificates and keys. This is a feature AirVPN supports since so many years ago, please see here: https://airvpn.org/forums/topic/26209-how-to-manage-client-certificatekey-pairs/ Kind regards

Hello! Currently not, but: https://airvpn.org/forums/topic/63545-new-remote-port-forwarding-system-expansion-with-pools/?do=findComment&comment=239145 However, if you need the same IP address, that option is not relevant for you in this case. Kind regards

Hello! Pool 1 ports are the ports of exit-IP address 1, that's also the exit-IP address of all the traffic except the traffic to pool 2 and its replies. You can always check which is which on your port panel by clicking the Test button of the port you want to check. Kind regards

Hello! Yes, totally correct, at the moment. We do not despise the idea of offering control over exit addresses as well (this is something to be done very carefully, however), we await feedback from the community. Kind regards

IMPORTANT UPDATE 2025-04-03 - PARTS THAT ARE NO MORE VALID APPEAR WITH STRIKE THROUGH CHARACTERS Hello! We're very glad to announce a remarkable expansion of our inbound remote port forwarding system aimed at avoiding once and for all the port exhaustion problem. The comfort and the growth problem In the AirVPN "Port Forwarding" service, unlike some of our competitors we grant that assigned ports are not server specific. We also ensure that they remain permanently reserved to an account for as long as any valid plan is active. This unique system offers unparalleled comfort as you don't have to worry about server switches, zone selections and program re-configurations. However, ports are only 65536, because the space reserved for them in a TCP/IP packet header is 2 bytes, and the inconvenience of the great comfort brought by the AirVPN service is that the port exhaustion is nearing as more and more users decide to use the service. A "no compromise" solution Our goal was to avoid port exhaustion while maintaining maximum comfort. We are introducing a new system specifically designed to achieve this goal. Now we allocate not only a port number, but a port number associated with a port pool. For example a port on pool :1 can be assigned to a user, and the same port number in pool :2 can be assigned to another user. Existing assigned port will come from the first pool (:1). Currently we offer two pools, but more pools can be added whenever necessary. Each user is assigned a specific exit IP address and therefore can access a specific port pool. While a pool nears exhaustion, new registering users are assigned to a new pool. With this method, port exhaustion is postponed indefinitely while the comfort of the service is preserved. A user never bounces back and forth different addresses and does not need to discern pools. The port panel will always show the correct IP address your node is reachable on. Furthermore DDNS will also resolve into the correct address as usual. NOTE: if you are a user who used the previous system with pool 1 and pool 2 ports, and you have a mixture of pool 1 and pool 2 ports, your setup does not change at the moment. However, as time passes by, you will have the option to bring back all of your ports to the same pool, therefore you will not have to worry anymore about different pools and specific, p2p-suitable pools. How it works Each Air VPN server sends out clients' VPN traffic through a shared exit IP address. From now on, AirVPN servers feature multiple exit IP addresses, each of which is linked to a user. Therefore we can determine which pool a port/address is associated with and route traffic accordingly. The implications for AirVPN users and customers The obvious good impact is that port availability increases dramatically. The implementation is truly scalable: the infrastructure may add just one address per VPN server to have an entirely new pool of (65536-2048) ports with no impact at all to users who had previously picked to forward ports remotely. Each user can rely indefinitely, as long as the account has a valid plan, on the same ports and the same exit-IP address. The new system is not difficult at all and extremely similar to the previous one: simply use DDNS (*) names with port forwarding, and not the direct IP address. Your account name(s) based on AirVPN's DDNS will always resolve into the correct server's exit-IP address related to the pool of your assigned port. If you prefer to rely on IP addresses or anyway you don't want to define domain names through AirVPN's DDNS, you can find the correct IP address used by clicking the Test Open button available in your AirVPN account port panel. Please note that this IP address could change over time, so domain names defined by DDNS are a more comfortable solution. There is only a modest caveat (which could be resolved in the future), please see below. Caveat Any setup not involving manual communication on how to connect to a service, as it happens with a p2p program, does not need domain names at all. If a program transmits autonomously how it can be reached (typical examples: some blockchain wallet programs, all torrent programs), at this stage please make sure you forward a port from pool 1 for those programs. For p2p programs that allow manual announcement configuration of the IP address, you can also use pool 2. (*) DDNS is a service offered automatically for free to all accounts and included on every and each AirVPN plan. Kind regards & datalove AirVPN Staff

Hello! The selection mask which opens up when you proceed to import files is the Android selector, not managed by Eddie. When you click the import icon on the VPN PROFILE view Eddie invokes the selector and waits for its answer. We haven't noticed a malfunction in FireOS selector, we will investigate. We will update the thread if we find anything relevant. Kind regards

Hello! Maybe not for the OP as he/she wrote "without leaving AirVPN's network", but in general it could be, provided that the user is fine with Network Lock disabled. With Network Lock engaged, the user wanting to adopt this solution and at same time wanting Network Lock can improve the setup by inserting on top a specific input rule allowing packets to sshd through the physical network interface after Network Lock has been applied (because at the activation the previous rules are flushed). Furthermore, to avoid correlations sshd listening port should not be remotely forwarded by the AirVPN account since incoming connections through the VPN interface wouldn't be needed anymore. Kind regards

Hello! We added the end date on the first post, thanks. Kind regards

Hello! You can rely on inbound remote port forwarding used by the remote server, please see here: https://airvpn.org/faq/port_forwarding/ Configure sshd to listen to the remotely forwarded port, preferably on all interfaces, in order to avoid a potential lock out of remote ssh connections (if the VPN connection is not established, sshd should remain reachable on the server's real IP address), and restart sshd. Please make sure that your devices and the remote server connect to either different VPN servers (simpler solution), or by using different keys, in order to prevent conflicts with remote port forwarding. If you decide to connect different devices to the same VPN server, your remote server's ssh port should be remotely forwarded only for the key used by the remote server itself to connect to the VPN server. If necessary, please see here: https://airvpn.org/forums/topic/26209-how-to-manage-client-certificatekey-pairs/ On the AirVPN account port panel you can link a port to a single specific "device". Kind regards

@Mytob Hello! While we can see multiple problems, none of them seems strictly related to WireGuard. Please re-check configuration through the official guide here: https://help.ui.com/hc/en-us/articles/16357883221015-UniFi-Gateway-WireGuard-VPN-Client and don't forget to set traffic routes to let devices send traffic over the VPN if necessary. If the problem persists, we would suggest you contact Unifi support. If they reply and manage to solve the problem, please let the community know what the problem was: the info can be useful for future Unifi users. Kind regards

@DarkSilver @ipzipzap Hello! What Eddie does is ask Android to open the file selector. The system knows which one the user has associated for this operation. After that it's all delegated to the file browser app. Now, in FireOS by default the file selector is a bleak and depressing file manager that allows you to see only internal files or so. By installing something decent like Cx File Explorer (or your favorite file manager for Android TV) you should be able to resolve the problem at once. Kind regards